Australia’s weapons programs exposed in defence industry cyber attacks

A series of cyber attacks on defence industry supply chain contractors has exposed threats to Australia’s weapons programs, security analysts say.

Over the past week, it was revealed that a hacker group shared material about Australia’s $7 billion Land 400 military program after allegedly breaching several Israeli defence companies.

The Cyber Toufan group posted images and details on Telegram about the Australian Defence Force’s (ADF) next-generation Redback infantry fighting vehicle.

Israeli weapons manufacturer Elbit Systems is involved in the project, supplying the vehicle’s high-tech turrets.

Another group claimed responsibility for a cyber attack on IKAD Engineering, a key player in the Australian defence industry.

The J Group ransomware gang alleges it infiltrated the company’s systems for five months in what it described as a “staycation in the defence supply chain”.

The hackers claimed they obtained information relating to Australian naval contracts, including the Hunter Class frigate and Collins Class submarine programs.

IKAD Engineering chief executive Gerard Dyson confirmed the incident, saying an “external third party” had gained unauthorised access to a portion of its internal IT systems.

He said so far only “non-sensitive project information” had been impacted, along with employee files, adding that IKAD did not have direct connections into ADF systems. 

Cybersecurity experts warned even non-sensitive data could have strategic value, and the attacks should be a “wake-up call”.

Keep reading

Congressional Budget Office Plagued by ‘Ongoing’ Cybersecurity Breach

When the agency that crunches Washington’s numbers can’t even secure its own, it’s hard not to see a metaphor in the math.

The Congressional Budget Office confirmed this week that it’s battling an “ongoing” cybersecurity incident — one that, by all accounts, has stretched on for days and remains unresolved.

Politico first reported the breach, noting that CBO officials are still assessing the full scope of the intrusion and what data, if any, may have been compromised.

The nonpartisan agency, which provides cost estimates and fiscal analyses to Congress, said it has added new monitoring systems and security controls while a full investigation continues.

The CBO has not said whether sensitive information was stolen or who might be behind the attack, the Associated Press reported. Officials also declined to specify how long the agency’s systems have been affected.

Reuters added that Senate offices were warned by the chamber’s Sergeant at Arms that email communications with the CBO might have been exposed, potentially giving hackers a chance to spoof messages or launch phishing attempts.

That advisory urged congressional staff to treat any CBO-related email traffic with extra caution until the incident is fully contained.
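The Sergeant at Arms advisory is a handling rule for staff; the block below is an added example (written for this page, not from the CBO, the Senate or any report cited here) of how an inbound mail gateway could enforce the same rule mechanically: hold any message whose From: address claims the partner's domain unless the receiving server's own Authentication-Results header reports dmarc=pass. The domain cbo.gov, the authserv-id mx.senate.example and every sample message are assumptions constructed for the example.

```python
"""Added example: quarantine mail that claims a trusted sender domain but did
not authenticate. Not from the article or any source it cites; the domain,
authserv-id and sample messages are assumptions constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "cbo.gov"             # assumed: the partner domain being impersonated
OUR_AUTHSERV_ID = "mx.senate.example"  # assumed: the id our own inbound MTA stamps


def parse_auth_results(value):
    """Split one Authentication-Results header (RFC 8601) into the authserv-id
    that produced it and a {method: result} map, e.g. {"dmarc": "pass"}."""
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    if not clauses:
        return "", {}
    authserv_id = clauses[0].split()[0].lower()
    results = {}
    for clause in clauses[1:]:
        m = re.match(r"([a-z0-9_-]+)=([a-z]+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv_id, results


def claims_trusted_domain(msg):
    """Return (from_domain, True/False) for whether From: claims TRUSTED_DOMAIN."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain, domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def classify(raw_message):
    """Return (verdict, reason) for a raw RFC 5322 message.

    Only Authentication-Results headers bearing OUR_AUTHSERV_ID are trusted: a
    sender can add such headers itself, so a result stamped by anyone else is
    ignored. Our MTA prepends its header on receipt, so the first match wins."""
    msg = message_from_string(raw_message)
    domain, claimed = claims_trusted_domain(msg)
    if not claimed:
        return ("unrelated", "From: domain %s is not %s" % (domain, TRUSTED_DOMAIN))
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(value)
        if authserv_id != OUR_AUTHSERV_ID:
            continue
        if results.get("dmarc") == "pass":
            return ("deliver", "dmarc=pass")
        return ("quarantine", "dmarc=%s spf=%s dkim=%s" % (
            results.get("dmarc", "none"), results.get("spf", "none"),
            results.get("dkim", "none")))
    return ("quarantine", "no Authentication-Results from %s" % OUR_AUTHSERV_ID)


# Constructed sample messages (not real CBO or Senate mail).
LEGITIMATE = """\
Authentication-Results: mx.senate.example; spf=pass smtp.mailfrom=cbo.gov;
 dkim=pass header.d=cbo.gov; dmarc=pass header.from=cbo.gov
From: Budget Analyst <analyst@cbo.gov>
Subject: Updated cost estimate

See attached.
"""

SPOOFED = """\
Authentication-Results: mx.senate.example; spf=fail smtp.mailfrom=cbo.gov;
 dkim=none; dmarc=fail header.from=cbo.gov
From: "CBO Director" <director@cbo.gov>
Subject: Urgent: revised projections, open now

Please review the attached file.
"""

# The sender forged its own "pass" result; our MTA never stamped this one.
FORGED_RESULTS = """\
Authentication-Results: mail.attacker.example; dmarc=pass header.from=cbo.gov
From: "CBO Director" <director@cbo.gov>
Subject: Urgent: revised projections

Please review.
"""

LOOKALIKE = """\
Authentication-Results: mx.senate.example; spf=pass smtp.mailfrom=cbo-gov.com;
 dkim=pass header.d=cbo-gov.com; dmarc=pass header.from=cbo-gov.com
From: "CBO Director" <director@cbo-gov.com>
Subject: Revised projections

Please review.
"""

if __name__ == "__main__":
    for name, raw in [("legitimate", LEGITIMATE), ("spoofed", SPOOFED),
                      ("forged-results", FORGED_RESULTS), ("lookalike", LOOKALIKE)]:
        print(name, classify(raw))
```

The lookalike sample passes DMARC for its own domain and comes back "unrelated": DMARC only proves the mail came from the domain it claims, so typo-squat and lookalike domains need a separate check that this example does not attempt.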

While the agency insists its work for lawmakers continues uninterrupted, the breach’s duration has sparked questions about whether the CBO’s analytical models and data pipelines could have been tampered with.

Experts told the Associated Press that a breach described as “ongoing” suggests investigators are still chasing active threats within the network rather than cleaning up a finished intrusion.

The incident comes at a sensitive time for Congress, with fiscal debates, spending fights, and shutdown negotiations all relying on the CBO’s projections to guide votes and policy.

Reuters noted that the longer such breaches persist, the greater the risk that attackers can map internal systems, gather intelligence, or establish backdoors for later use.

The Washington Post reported that early assessments point to a possible foreign actor, though officials have not publicly attributed the breach to any specific nation or group.

In a statement, the CBO said it “continually monitors” for cyber threats and had taken “immediate action” to safeguard its systems once the incident was detected.

Still, the episode has renewed scrutiny of cybersecurity readiness across federal agencies — particularly those, like the CBO, that don’t handle classified data but remain critical to day-to-day government operations.

Keep reading

Researchers expose large-scale YouTube malware distribution network

Check Point researchers have uncovered, mapped and helped set back a stealthy, large-scale malware distribution operation on YouTube they dubbed the “YouTube Ghost Network.”

The network published more than 3,000 videos across compromised or fake channels, luring viewers with game cheats, cracked software, or pirated tools, but instead delivering malware or phishing pages. 

The YouTube Ghost Network

The YouTube Ghost Network is strikingly similar to the Stargazers Ghost Network, a previously uncovered network of fake or hijacked GitHub accounts that served as a malware and phishing link Distribution-as-a-Service.

In the Stargazers Ghost Network, different accounts filled different roles. Some accounts directed targets to malicious downloads, others served malware, and others still starred, forked, and subscribed to malicious repositories, in an obvious attempt to make the other accounts appear legitimate to potential victims.

Similarly, the YouTube Ghost Network consists of video accounts, post accounts, and interact accounts.

Video accounts, which are either hijacked or created by the malware peddlers, upload videos that promise something appealing, e.g., a free/cracked version of Adobe Photoshop, or game hacks for popular games like Roblox. The descriptions contain download links or direct viewers to password-protected archives on services like Dropbox, Google Drive or MediaFire, and they often tell users to temporarily disable Windows Defender before installing the downloaded cracked software.

Post accounts publish community posts with the same links and passwords, and interact accounts flood comment sections with fake endorsements, creating a false sense of trust.
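The lure pattern described above (bait for cracked software or game cheats, a download link on a file-sharing service, an archive password, and an instruction to switch off Windows Defender) is concrete enough to triage automatically. The block below is an added example, not Check Point's tooling or anything from the original report: it scores a description or community post on those four indicators. The sample texts are constructed, and the weights and threshold are this example's own choices.

```python
"""Added example: heuristic triage of YouTube descriptions and community
posts for the lure pattern described above. Sample texts are constructed; the
indicator weights and threshold are this example's own choices."""
import re
from urllib.parse import urlparse

# File-sharing hosts named in the article; extend with others seen in practice.
FILE_HOSTS = ("mediafire.com", "drive.google.com", "dropbox.com")

# (name, weight, pattern). Weights are an assumption made for this example; the
# Defender instruction weighs most because benign posts almost never ask for it.
TEXT_INDICATORS = [
    ("crack_lure", 1, re.compile(
        r"\b(?:crack(?:ed)?|full version|free download|keygen|hacks?|cheats?|aimbot|executor|activator)\b",
        re.I)),
    ("archive_password", 1, re.compile(r"\bpass(?:word)?\b\s*[:=]?\s*\S+", re.I)),
    ("defender_disable", 2, re.compile(
        r"\b(?:disable|turn off|deactivate|switch off)\s+(?:your\s+)?"
        r"(?:windows\s+defender|defender|antivirus|anti-virus|av)\b", re.I)),
]
THRESHOLD = 3
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def file_host_links(text):
    """Return the URLs in text whose host is (or sits under) a known file-sharing host."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_HOSTS):
            hits.append(url)
    return hits


def triage(text):
    """Score one description or post; returns score, matched indicators, links and verdict."""
    indicators = {}
    links = file_host_links(text)
    if links:
        indicators["file_host_link"] = 1
    for name, weight, pattern in TEXT_INDICATORS:
        if pattern.search(text):
            indicators[name] = weight
    score = sum(indicators.values())
    return {
        "score": score,
        "indicators": sorted(indicators),
        "links": links,
        "verdict": "likely-lure" if score >= THRESHOLD else "unclear",
    }


# Constructed samples, not real YouTube content.
SAMPLES = {
    "cracked-photoshop": (
        "Adobe Photoshop 2025 full version, free! Download: "
        "https://www.mediafire.com/file/abc123/PS_2025.rar Password: 1234. "
        "IMPORTANT: turn off Windows Defender before installing, it gives a false positive."),
    "roblox-cheat": (
        "Roblox executor + aimbot, working! Link: "
        "https://drive.google.com/file/d/xyz/view pass 2024. Disable antivirus first."),
    "legit-tutorial": (
        "In this tutorial we cover layer masks in Photoshop. Sample files: "
        "https://github.com/example-user/masks-tutorial"),
    "shared-photos": (
        "Holiday photos archive: https://www.dropbox.com/s/abc/photos.zip password: family"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = triage(text)
        print("%-18s score=%d verdict=%s %s" % (name, r["score"], r["verdict"], r["indicators"]))
```

A password-protected archive on a file host alone scores below the threshold (the "shared-photos" sample), which is deliberate: that combination is common in legitimate sharing, and it is the crack bait plus the request to disable Defender that makes the pattern distinctive.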

Keep reading

China Escalates Cyberattacks That Are Increasingly Hard To Detect

A Chinese hacking group is reportedly behind a significant espionage campaign targeting U.S. technology firms and legal services, highlighting a worrisome escalation in China’s cyber “Cold War” with the United States.

Since March 2025, Google’s Threat Intelligence Group and its cybersecurity subsidiary, Mandiant, have tracked intrusions carried out through a backdoor known as “BRICKSTORM.” The campaign targets a range of sectors, including law firms, software-as-a-service providers, and other technology companies. After extensive monitoring and analysis, Google has linked the activity to UNC5221, a long-suspected Chinese Advanced Persistent Threat (APT) actor, and to other China-associated “threat clusters.”

The BRICKSTORM campaign is especially disturbing for two primary reasons. Firstly, it was crafted to ensure “long-term stealthy access” by embedding backdoors into targeted systems, enabling hackers to dodge conventional detection and response methods. The stealth campaign has proven so adept that, on average, these intruders remain undetected in targeted systems for nearly 400 days, as revealed by a Google report.

Secondly, the motivations behind these cyberattacks transcend the theft of trade secrets and national security data. Google suspects that these hackers are also probing for “zero-day vulnerabilities targeting network appliances,” as well as “establishing pivot points for broader access” to additional victims. This indicates a strategy to gather intelligence that could be pivotal to the Chinese military should tensions escalate between the U.S. and China.

Xi Jinping, the leader of Communist China, has consistently expressed his ambition for the nation to become a “cyber superpower.” With this goal in mind, the Chinese government has invested significant resources in building a formidable cyber army.

The People’s Liberation Army (PLA) considers cyber warfare to be a crucial aspect of both its defensive and offensive strategies, alongside traditional military forces. Cyberattacks are viewed as a cost-effective means to undermine an opponent’s will to fight by targeting its economic, political, scientific, and technological systems.

Thus, the PLA reportedly employs as many as 60,000 cyber personnel, ten times larger than the U.S. Cyber Command’s Cyber Mission Force. Additionally, a higher proportion of the PLA’s cyber force is dedicated to offensive operations compared to the United States (18.2 percent versus 2.8 percent).

Alongside China’s official cyber force, the Ministry of State Security and the Ministry of Public Security have adopted a “pseudo-private” contractor model that allows them to hire civilian hackers to conduct cyber espionage abroad while obscuring the Chinese government’s involvement.

Over time, the Communist regime has also significantly advanced its cyber operation capabilities. Today, China’s cyber operations are increasingly sophisticated, utilizing advanced tactics, techniques, and procedures to infiltrate victim networks, according to a U.S. government report.

The BRICKSTORM attack is part of a long series of high-profile cyberattacks originating from China in recent years. Between 2023 and 2024, Salt Typhoon, a Chinese hacking group linked to the Ministry of State Security, accessed U.S. wireless networks operated by companies such as AT&T and Verizon, “as well as systems used for court-appointed surveillance.” This breach resulted in the compromise of telecommunication data for over a million American users, including individuals involved in both Trump’s and then-Vice President Kamala Harris’s presidential campaigns.

Keep reading

Roughly 70,000 Government ID Photos Potentially Stolen in Discord Hack

Government ID photos of around 70,000 Discord users, collected for age verification purposes, may have been stolen in a hack, the company said in an Oct. 9 update. Discord is a group chat app used largely by programmers and gamers.

Initially announced on Oct. 3, the data breach occurred on the systems of third-party vendor 5CA, which Discord uses for customer support efforts. The malicious actor aimed to extort a financial ransom from Discord, the company stated.

According to Discord, the unauthorized party “gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams.”

“No messages or activities were accessed beyond what users may have discussed with Customer Support or Trust & Safety agents,” the company said.

“Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.”

Age-related appeals refer to instances when users were locked out of the app due to being reported as underage and then had to submit photo IDs to verify their age and unlock their accounts.

Keep reading

The country that inspired Keir Starmer’s digital ID card fiasco: Labour’s blueprint for Britain is a ‘goldmine for hackers and scammers to steal your money’

Estonia’s digital identity system has been beset by blunders and security issues that allow hackers to steal data and help scammers take money, we can reveal.

The digital ID system used by 1.4 million people in the Baltic state is said to be the blueprint for Keir Starmer’s so-called Brit Card.

Digital ID cards showing a resident’s picture, name, unique number and date of birth, and including a microchip storing more personal information, have been used in the former Soviet republic for more than 20 years.

Estonians can hold their cards in e-wallets on mobile phones and use them to vote, check on bank accounts, e-sign contracts and invoices, file tax returns, claim benefits, book medical appointments, access health records, shop online, and even collect supermarket loyalty points.

But the much-praised scheme in Estonia has suffered security lapses that have allowed fraudsters to bypass encryption systems to con victims out of their savings and leak the names and photographs of citizens.

The Daily Mail can reveal that users have also repeatedly fallen victim to phishing emails and calls from scammers who have persuaded them to disclose the PINs for their cards and then stolen cash from their bank accounts, in a grim warning of what could happen in the UK.

Official figures reveal that citizens of so-called ‘E-Stonia’ lost more than 7 million euros to fraud last year, with 837 ‘significant’ incidents recorded, up from 546 in 2023, although the true figure is thought to be much higher because many cases go unreported.

Reports suggest that the amount lost to fraud in Estonia has soared since last year, with a total of 7.5 million euros lost in the first six months of this year.

A large number of the cases reported by Estonia’s Police and Border Guard are thought to involve personal information from ID cards being stolen due to people being tricked into revealing PIN codes.

Keep reading

Discord Support Data Breach Exposes User IDs, Personal Data

A data breach affecting a third-party customer service provider used by Discord has exposed personal information from users who had contacted the platform’s support teams, and the accessed data included some images of government-issued IDs that users had submitted.

The incident will amplify growing concerns around online ID verification, a practice increasingly mandated by governments as a way to enforce age restrictions online.

While Discord confirmed that the attacker did not breach its internal systems, the compromise of a vendor handling sensitive user data shows how collecting official identification, even in limited cases, creates serious and lasting privacy risks.

The compromised vendor had supported Discord’s Customer Support and Trust & Safety teams, and the attacker targeted it in an effort to extort money.

While the breach did not involve Discord’s internal systems, sensitive user data was exposed.

The company stated that the attacker accessed information from a “limited number of users” who had interacted with support staff.

Keep reading

US Cyber Agency Issues Emergency Directive Amid Major Hacking Campaign Targeting Cisco

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive asking federal agencies to take immediate action to identify and mitigate system vulnerabilities to protect their devices from a major hacking campaign, the agency said in a Sept. 25 statement.

“This widespread campaign poses a significant risk to victims’ networks by exploiting zero-day vulnerabilities that persist through reboots and system upgrades,” CISA said.

Zero-day vulnerabilities are security flaws in computer hardware, firmware, or software that are unknown to, or not yet fixed by, the vendor. They are called “zero-day” because the vendor has had zero days to fix the flaw before attackers begin exploiting it, so no patch is available when the exploitation starts.

According to the directive, Cisco has assessed that the hacking campaign is linked to the threat actor behind ArcaneDoor, the name Cisco gave to an earlier campaign against its network devices.

A May 2024 post by computer and network security company Censys said an investigation of IP addresses attributed to the ArcaneDoor actor suggested “the potential involvement of an actor based in China, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software.”

Four out of five IP hosts analyzed by Censys were found to be in China, with some linked to Chinese conglomerate Tencent and Chinese telecom company ChinaNet.

“Networks like Tencent and ChinaNet have extensive reach and resources, so they would make sense as an infrastructure choice for a sophisticated global operation like this one,” Censys said in its post.

In a Sept. 25 statement, Cisco said it had been engaged by multiple government agencies in May to provide support to an investigation into attacks targeting the company’s ASA devices.

The company said it has “high confidence” that the hacking activity was related to ArcaneDoor.

“Cisco assesses with high confidence that upgrading to a fixed software release will break the threat actor’s attack chain and strongly recommends that all customers upgrade to fixed software releases,” the company said.

Keep reading

John Bolton’s personal email account was hacked by foreign entity, FBI docs reveal

Former National Security Adviser John Bolton allegedly used a private email account that was at one point hacked by a “foreign entity,” an FBI search warrant affidavit released Friday revealed. 

The 41-page document – used by federal investigators to justify the raid of Bolton’s Maryland home last month – suggests the hacking incident gave the FBI reason to believe the former Trump administration official mishandled classified records.

The Post previously reported that Bolton allegedly used his personal email account to send “highly sensitive” documents to his family while working in the White House.

“Hack of Bolton AOL Account by Foreign Entity,” reads a section of the affidavit, where investigators explained the probable cause for the searches. 

The roughly 10 pages detailing the hacking incident are completely redacted. It’s unclear which foreign nation may have been responsible. 

Keep reading

U.S. places $11 million bounty on Ukrainian ransomware mastermind — Tymoshchuk allegedly stole $18 billion from large companies over 3 years

The United States has placed an $11 million bounty on Volodymyr Tymoshchuk, a Ukrainian man wanted for his involvement with a string of ransomware cybercrimes. Tymoshchuk faces severe federal charges for his part in reportedly masterminding the theft of a combined $18 billion over a three year period.

Tymoshchuk is accused of being the kingpin behind the MegaCortex, LockerGoga, and Nefilim ransomware operations, a string of attacks that were active from Dec. 2018 to Oct. 2021. MegaCortex, which we covered in 2019, changes the Windows passwords on a host computer and encrypts its files, with the attackers threatening to make sensitive files public if the ransom goes unpaid.

“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms,” said U.S. Attorney Joseph Nocella Jr. in a statement from the Justice Department. One of the highest-profile thefts linked to Tymoshchuk and LockerGoga was the attack on Norsk Hydro, a renewable energy company based in Norway. The attack on Norsk caused a reported $81 million in damages as all of its 170 sites were impacted at some level.

Nocella continued, “For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”

Tymoshchuk is alleged to have run the LockerGoga and MegaCortex operations between July 2019 and June 2020, at which point the two ransomware families went largely dark. From then on, Tymoshchuk is accused of having helped to engineer and administer the Nefilim ransomware strain, selling access to it to attackers in exchange for 20% of the ransom received from each successful attack.

An unsealed indictment, archived by The Register, lists a number of unnamed victim companies from across the United States and Europe. Tymoshchuk is on the hook for seven total charges relating to intentional damage to a private computer and threatening to disclose private information. If found guilty Tymoshchuk faces a maximum sentence of life in prison.

Keep reading